13

I need:

  • An scp and sftp server
  • With chroot-ed environment
  • With non-login (ssh not allowed for scp/sftp users)

Options and related issues I found:

scponly

  • No updates for more than 6 years
  • Does one really need to recompile the whole thing to make changes in the configuration??

rssh

  • It is said to have plenty of security issues
  • No updates for plenty of years
  • The author himself says that "rssh is done. Period"
  • Ubuntu seems to be maintaining it somehow. Unfortunately, I need it for a CentOS server

ssh-server

  • It does the job with sftp and the chroot, but not with sftp
  • Otherwise it seems quite OK

So, I was wondering what other options might be out there, or how this particular issue gets handled by others.

Julen Larrucea
  • Software recommendations are off topic for SF. You should ask on [softwarerecs.se]. – Gerald Schneider Jul 31 '17 at 17:32
  • One possibility is ProFTPD's [`mod_sftp`](http://www.proftpd.org/docs/contrib/mod_sftp.html) module, which does just what you want (chroot, scp/sftp only, no shell). – Castaglia Jul 31 '17 at 21:24
  • @GeraldSchneider: Thanks. But I posted here because most of the related discussions I found are actually on SF. Plus, I was searching for solutions, not necessarily a software recommendation. – Julen Larrucea Aug 01 '17 at 10:22
  • @Castaglia: I didn't know about ProFTPD. It looks really good! Finally I went with the plain SSH solution for now, but I will definitely consider it. Make it an answer, so that I can upvote. – Julen Larrucea Aug 01 '17 at 10:26
  • 1
    Package: rush Description-en: restricted user shell ... The standard use is to create access to a chrooted target directory, typically providing arbitrary combinations of scp, sftp, rsync, cvs, svn, and git. Each service may be further restricted in its capabilities. The administrator configures pattern matching rules for manipulating any incoming request. . The present restricted shell is an alternative to the well known "rssh" package, which provides similar capabilities. – Sam Watkins Sep 21 '19 at 13:02
  • @SamWatkins thanks for the tip, I tried it and it works. Would you like to post it as an answer? – mehov Jan 17 '20 at 12:57
  • @aexl we can't post answers, it's "closed as off-topic" – Sam Watkins Jan 17 '20 at 13:54

2 Answers

7

I recommend just using the common chrooted internal-sftp that is included with most OpenSSH servers. SFTP clients are available on all operating systems, so I do not see any problems with adoption.

You might also want to refer to this other serverfault question to allow SFTP but not SSH to assist you with your setup.

  • 1
    Well... I followed your advice and stuck to the good old OpenSSH server for now. But that ProFTPD mentioned above sounds really good too, and it seems to support scp and plenty of other stuff. – Julen Larrucea Aug 01 '17 at 10:30
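
An `sshd_config` fragment for the chrooted internal-sftp setup recommended in the answer above, added here as an example and not taken from the answer or its author. The group name `sftponly` and the base path `/srv/sftp` are assumptions; adjust them to your layout.

```conf
# /etc/ssh/sshd_config (fragment; group name and paths are assumed)

# Use the in-process SFTP server, so the chroot needs no binaries,
# libraries or device nodes.
Subsystem sftp internal-sftp

# Match blocks run to the next Match line or end of file, so keep this
# block after all global settings.
Match Group sftponly
    # %u expands to the user name. Every component of this path must be
    # owned by root and not writable by group or others, otherwise sshd
    # rejects the session. Give the user a writable subdirectory
    # (e.g. /srv/sftp/<user>/upload) instead of write access to the root.
    ChrootDirectory /srv/sftp/%u

    # Ignore whatever command the client asks for: no shell, no remote
    # exec. Clients speaking the legacy scp protocol are refused as well,
    # because that protocol needs a remote scp process; scp from
    # OpenSSH 9.0 onward uses the SFTP protocol by default.
    ForceCommand internal-sftp

    # Close the side channels that a login-less account could still use.
    PermitTTY no
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
```

Check the file with `sshd -t` before reloading the daemon, and keep an existing session open while testing so a configuration error does not lock you out.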
4

One possibility is ProFTPD's mod_sftp module, which does just what you want (chroot, SCP/SFTP only, no shell).

Hope this helps!

Castaglia